
The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Data Breaches Reported by Medical Center Barbour; Monte Nido; Allergy Medical Group of the North Area

Medical Center Barbour in Alabama, Allergy Medical Group of the North Area in California, and the nationwide eating disorder treatment provider Monte Nido have reported cyberattacks involving unauthorized access to patient data.

Medical Center Barbour, Alabama

Medical Center Barbour in Eufaula, AL, reported a breach of the personal information of 61,014 individuals to the Maine Attorney General and notified the affected individuals on August 22, 2024. Suspicious activity was identified within its network on October 29, 2023, and cybersecurity specialists were engaged to investigate the incident. The investigation concluded on December 8, 2023, and confirmed that an unauthorized third party had accessed files and data stored on its network and may have exfiltrated data.

While the investigation was completed relatively quickly, it took until May 21, 2024, for the medical center to complete its internal review to determine the types of data involved. A third-party data mining company was then engaged to assist with the review of the data to allow notifications to be mailed. That process was completed on July 31, 2024. According to the notification letter to the Maine Attorney General, names, dates of birth, and taxpayer identification numbers were compromised. Complimentary credit monitoring and identity protection services have been offered to the affected individuals for 12 months. Additional monitoring tools have now been deployed, and the medical center said it will continue to enhance the security of its systems.

Monte Nido, Florida

Monte Nido, a Florida-based provider of treatment for eating disorders, has warned 41,662 current and former patients and employees about a cyberattack that was detected on September 22, 2023. Immediate action was taken to prevent further unauthorized access, and third-party cybersecurity experts were engaged to assist with the investigation and determine the nature and extent of unauthorized activity. The investigation confirmed that an unauthorized third party had access to its network from September 16, 2023, to September 22, 2023.

It has taken a considerable amount of time to review all of the affected files and determine the individuals who had data exposed and the exact types of information involved. The types of data involved varied from individual to individual and may have included names in combination with one or more of the following: address, phone number, date of birth, driver’s license number, government identification number, individual taxpayer identification number, birth certificate, email address/password, digital signature, passport number, Social Security number, financial account information (including account number, routing number or password), credit and/or debit card number with password or security code, worker’s compensation claim information, medical record number, patient account number, medical information, prescription information, dates of service, medical history, condition, treatment, or diagnosis, certificate and/or license number, and/or health insurance information.

Monte Nido said additional cybersecurity safeguards are being implemented, cybersecurity policies and procedures are being reviewed, and further cybersecurity training is being provided to the workforce. The affected individuals have been advised to be vigilant against incidents of identity theft and fraud by reviewing their account statements, explanation of benefits forms, and monitoring their credit reports. Complimentary credit monitoring and identity theft protection services do not appear to have been offered.

Allergy Medical Group of the North Area, Inc., California

On August 19, 2024, Roseville, CA-based Allergy Medical Group of the North Area, Inc., notified current and former patients about a cyberattack on its network that was detected on or around February 29, 2024. Its computer systems were rapidly secured, and third-party IT security and forensics specialists were engaged to investigate the incident and determine the scope and extent of the unauthorized access. The investigation concluded on July 25, 2024, and it was confirmed that patient data had been exposed and may have been acquired.

The compromised information varied from individual to individual and included names in combination with one or more of the following data types: mailing address, patient ID number, health information, date of birth, and financial account number. Additional safeguards and enhanced security measures are being implemented to prevent similar incidents in the future. The affected individuals have been offered complimentary single bureau credit monitoring/single bureau credit report/single bureau credit score services. At present, it is unclear how many individuals were affected by the incident.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
